kernel/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch

130 lines
5.9 KiB
Diff
Raw Normal View History

2019-11-25 16:19:55 +00:00
From patchwork Thu Nov 21 16:04:38 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ganapathi Bhat <gbhat@marvell.com>
X-Patchwork-Id: 11256477
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <SRS0=bi0l=ZN=vger.kernel.org=linux-wireless-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
[172.30.200.123])
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AAABF138C
for <patchwork-linux-wireless@patchwork.kernel.org>;
Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
by mail.kernel.org (Postfix) with ESMTP id 8950220637
for <patchwork-linux-wireless@patchwork.kernel.org>;
Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
Authentication-Results: mail.kernel.org;
dkim=pass (2048-bit key) header.d=marvell.com header.i=@marvell.com
header.b="nkGygBtm"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1727141AbfKUQEs (ORCPT
<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
Thu, 21 Nov 2019 11:04:48 -0500
Received: from mx0b-0016f401.pphosted.com ([67.231.156.173]:6582 "EHLO
mx0b-0016f401.pphosted.com" rhost-flags-OK-OK-OK-OK)
by vger.kernel.org with ESMTP id S1726980AbfKUQEr (ORCPT
<rfc822;linux-wireless@vger.kernel.org>);
Thu, 21 Nov 2019 11:04:47 -0500
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1])
by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
xALFu718003199;
Thu, 21 Nov 2019 08:04:44 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;
h=from : to : cc :
subject : date : message-id : mime-version : content-type; s=pfpt0818;
bh=o/oIGGHPmwt5MFTKPl2GcISKabBWhPBOdPXPhlV+8H8=;
b=nkGygBtmdc1LxIp0VzpsKssm8mQFI+syng1Rek/N5Fx3Vz4o2KAlRceJkhXNdV7WpjTG
XDtRj/LiYd+OAIqSLM6J2VNtOKOhaNSDydtTUnIi4imHPzYoAdESDQW5aFV8JKZqOfYx
0oQTjw6AhdjJCsngL+bImzmnJoZsc2gUu3BAic/kW+6Uj0JCgQwoUFBH9rNaO+Q33BY+
dZy9MdKD905LxSBE7A5xWx5GEgrqRcvfxSOu2K78FQhsJ20suhvWSobxpYE0LIrajl6s
oQGuDbTsdOO/8v7D9Xn7zObUH6qZ08AMxDZNaBLqiKpjFY/RA7LbR2eulwEnhjCLDQfK uA==
Received: from sc-exch03.marvell.com ([199.233.58.183])
by mx0b-0016f401.pphosted.com with ESMTP id 2wd090yntp-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);
Thu, 21 Nov 2019 08:04:44 -0800
Received: from SC-EXCH01.marvell.com (10.93.176.81) by SC-EXCH03.marvell.com
(10.93.176.83) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 21 Nov
2019 08:04:43 -0800
Received: from maili.marvell.com (10.93.176.43) by SC-EXCH01.marvell.com
(10.93.176.81) with Microsoft SMTP Server id 15.0.1367.3 via Frontend
Transport; Thu, 21 Nov 2019 08:04:43 -0800
Received: from testmailhost.marvell.com (testmailhost.marvell.com
[10.31.130.105])
by maili.marvell.com (Postfix) with ESMTP id 898743F703F;
Thu, 21 Nov 2019 08:04:40 -0800 (PST)
From: Ganapathi Bhat <gbhat@marvell.com>
To: <linux-wireless@vger.kernel.org>
CC: Cathy Luo <cluo@marvell.com>, Zhiyuan Yang <yangzy@marvell.com>,
James Cao <jcao@marvell.com>,
Rakesh Parmar <rakeshp@marvell.com>,
Brian Norris <briannorris@chromium.org>,
Mohammad Tausif Siddiqui <msiddiqu@redhat.com>,
huangwen <huangwenabc@gmail.com>,
Ganapathi Bhat <gbhat@marvell.com>
Subject: [PATCH] mwifiex: fix possible heap overflow in
mwifiex_process_country_ie()
Date: Thu, 21 Nov 2019 21:34:38 +0530
Message-ID: <1574352278-7592-1-git-send-email-gbhat@marvell.com>
X-Mailer: git-send-email 1.9.1
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572
definitions=2019-11-21_03:2019-11-21,2019-11-21 signatures=0
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
mwifiex_process_country_ie() function parse elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicous beacon packet with long WLAN_EID_COUNTRY elemen
(country_ie_len > 83). Attacker can force STA connect to fake AP
on a different channel. When the victim STA connects to fake AP,
will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, don not connect to the AP.
This fix addresses CVE-2019-14895.
Reported-by: huangwen <huangwenabc@gmail.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
---
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index 74e5056..6dd835f 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
"11D: skip setting domain info in FW\n");
return 0;
}
+
+ if (country_ie_len >
+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "11D: country_ie_len overflow!, deauth AP\n");
+ return -EINVAL;
+ }
+
memcpy(priv->adapter->country_code, &country_ie[2], 2);
domain_info->country_code[0] = country_ie[2];
@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
priv->scan_block = false;
if (bss) {
- if (adapter->region_code == 0x00)
- mwifiex_process_country_ie(priv, bss);
+ if (adapter->region_code == 0x00 &&
+ mwifiex_process_country_ie(priv, bss))
+ return -EINVAL;
/* Allocate and fill new bss descriptor */
bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),